Redirect all HTTP traffic to HTTPS on OpenLiteSpeed
When installing an SSL certificate on your website, you will need to ensure that all traffic is forced to upgrade from HTTP to HTTPS by means of a redirect rule.
Disable Directory Browsing
Directory browsing one of the most common security flaws in a WordPress site. By default, the webserver enables directory browsing. This means that all files and folders inside the root directory of the webserver are accessible by a visitor.
Remove query strings on static resources
Developers often add query strings to keep track of versions and to invalidate cache during development. When the query string is changed, it forces the client’s browser to download an updated copy of the stylesheet or script.
Disable WordPress XML-RPC
Attacks on xmlrpc.php are common. Not many websites actually use the XMLRPC functionality so one simple way of avoiding these attacks was to simply delete the xmlrpc.php file. However the file is restored every time you update WordPress, so this isn’t a very good solution.
Configure wp-config.php
The WordPress architecture includes a file wp-config.php which contains key settings like the database connection settings, error handling etc. This article will list some of the best practices to ensure that your wp-config.php is safely configured.
Check your HTTP status codes with httpstatus.io
httpstatus.io is a popular bulk HTTP status checker, redirect checker and header checker. You can use this tool to easily check HTTP status codes, status messages, response headers, and redirect chains returned by a server in response to a URL request by clients like a browser or search engine bot.
Disable wp-cron and configure server cron
There is a PHP function built into WordPress which is designed to replicate a cron service, which is activated whenever someone accesses the web site. This is acceptable when only 1-2 people are accessing the site, but as the website usage scales up to dozens of users, this results in an exponential load on the server.
Install and configure fail2ban
Fail2ban is a server-based intrusion prevention daemon which prevents brute-force attacks by scanning log files for authentication errors.
Disable Emojis in WordPress
I hate emojis. They’re tiny, indecipherable and ambiguous. They also add unnecessary bloat to your website. This code snippet disables Emojis throughout your site.